This invention pertains in general to detecting computer viruses in a computer system and in particular to reducing the number of false positive virus detections.
Modern computer systems are under constant threat of attack from computer viruses and other malicious code. Viruses often spread through the traditional route: a computer user inserts a disk or other medium infected with a virus into a computer system. The virus infects the computer system when data on the disk are accessed.
Viruses also spread through new routes. A greater number of computer systems are connected to the Internet and other communications networks than ever before. These networks allow a computer to access a wide range of programs and data, but also provide a multitude of new avenues through which a computer virus can infect the computer. For example, a virus can be downloaded to a computer as an executable program, as an email attachment, as malicious code on a web page, etc. Moreover, a virus can use more sophisticated means, such as a buffer overflow attack, to infect a computer system.
Accordingly, it is common practice to install anti-virus software on computer systems. The anti-virus software monitors for the presence of a virus, and triggers an alert or performs another action if it detects a virus. Since new viruses are constantly being produced, vendors of anti-virus software provide frequent software updates in order to provide effective virus detection.
A delay in detecting the presence of a virus can cause a tremendous amount of damage and lost productivity. Therefore, anti-virus software vendors deploy software updates as quickly as possible. The updates may generate false positives because it is practically impossible for the vendor to test the virus detection techniques in the software updates against all legitimate files and other configurations of data that may be present on the customers' computers.
The vendor can take certain steps to reduce false positives. For example, the vendor can perform a public beta or other external test before releasing software updates on a wide scale. However, customers are often reluctant to adequately test the new software. For example, a customer having a large number of computer systems may be reluctant to install unproven technologies on the systems. The vendor can also perform more comprehensive internal testing of the software updates. However, this testing does not completely eliminate the risk of false positives and the resulting delay may place the vendor at a competitive disadvantage. As a result, vendors occasionally release software updates that cause a large number of false positive virus detections.
Therefore, there is a desire in the art to reduce the occurrence of false positive computer virus detections. Preferably, a solution meeting this desire will allow a vendor to release a software update for detecting new viruses while reducing the risk that the software update will trigger a large number of false positives. The solution will also preferably allow the vendor to quickly determine and eliminate any causes of false positives.